Brazil's Politicians Aim to Add Mandatory Real Names and a Right to Erase History to the Marco Civil

The Marco Civil Da Internet, Brazil's Internet bill of rights, was a unique achievement in modern law. Net users, academics, technologists, businesses and representatives of government all contributed to it in a lengthy consultation process, conducted using the very technology it was constructed to defend. Its scope and principles were publicly debated. Its drafters considered hundreds of edits and suggestions. Its final form was by no means perfect, but still contain some of the strongest protections for free expression and privacy online, net neutrality, and access to information. Signed into law in April 2014, it was a historic victory for positive collaboration that would form a solid foundation for future of Brazil's Internet.

Less than two years on, however, and some Brazilian politicians are already intent on undermining it, and the free Internet it supports.

A new Brazilian bill, PL215/2015, that in its original version would have established "greater rigor crimes against honor taking place on social media" is due to be presented for a vote in Brazil's lower house plenary very soon. Unlike the Marco Civil, the new bill has sped through its early stages. In its short life, PL215/2015 has managed to absorb a set of truly terrible ideas - the sort that would have been laughed off the web forums of the Marco Civil's earliest drafts.

One clause takes advantage of a weakness in the Marco Civil's privacy protections, turning it into a pervasive country-wide flaw for the compulsory extraction and collection of intimate personal data.

The Marco Civil's original Article 10 makes clear that all personal data collected by providers of connectivity or Internet applications can only be handed over to the authorities with a court order. One exception, however, was added to grandfather in an earlier law on money-laundering. Section 3 of article 10 conceded that a subscriber's "personal qualification, affiliation, and address" may be handed over without a warrant under this law.

The current text of PL215/2015 amends 10(3) to radically expand the list of items that can be obtained without judicial review, adding the e-mail address, telephone number, and the national identity number of any user. Then, with the addition of one word, obrigatoriamente (mandatorily), the amendment inverts the entire spirit of Article 10. PL215/2015 makes the collection of all of this information not only freely available to the government, but compulsory for providers to collect from their users. The bill transforms a tiny opportunity for the authorities to circumvent the courts into a universal requirement to collect and store subscriber's personal information. Now, every website and smartphone app provider must demand this information from their users, store it, and hand it over to law enforcement when they ask.

PL215 places an impossible burden on every Brazilian website or app creator, to no good end. Millions of innocent Brazilian Internet users will be obliged to hand over identifying personal data. That data that will inevitably be hacked from one of the thousands of sites and app servers that will be forced to host it at their own expense.

And of course that hacked data will then be used in crimes of identity theft -- including its use as the seed for the fake registration information that actual criminals, defamers, or just privacy-conscious citizens will inevitably use.

We know that this will happen, because this is what always happens. When South Korea introduced a similarly compulsory "real name" policy in 2009. By 2012, the endless leaking of citizen data, and the unconstitutionality of requiring a government ID before anyone could use any major website, led to the entire law being scrapped. It also did nothing to fix the problem it was trying to solve. As the country's Supreme Court noted in its decision revoking the law, "the system does not seem to have been beneficial to the public. Despite the enforcement of the system, the number of illegal or malicious postings online has not decreased".

An Internet-wide delete button for the rich and powerful

PL215 also includes an amendment to Marco Civil which allows a judge to order that any Internet content that connects a plaintiff to a crime of which they have been absolved, or is libelous or injurious to their reputation, be made "unavailable".

The authors of PL215 have made it clear that this is an attempt to replicate Europe's "right to be forgotten" in Brazil. But PL215's requirement goes far further than the European Court of Justice decision.

While the CJEU only concerned itself with delisting content from specific search engine search terms, PL215 gives the courts a blanket ability to require any site to take down content, using the vaguest of justification, and with no requirement to take into account current public interest, newsworthiness, critical review, or the need for an accurate historical record. There's no process for the decision to be challenged, no put-back process, no requirement that the deletion be minimized, nor any assurance that erroneous or malicious deletion requests be penalized. As dozens of Brazilian lawyers and activists have explained to the drafters, PL215 gives those with a vested interest in editing away critical commentary from news sites, blogs, archives and conversation—almost limitless power to re-edit the Net as they see fit.

The Marco Civil has its flaws, but the final law commanded respect because of the transparency and openness of its process. Every stakeholder in the Internet's future had a chance to point out problems and suggest corrections. Human rights advocates shaped its civil liberty protections; lawmakers and academics crafted its precise wording; businesses and technologists ensured its practicality. It was a better law because of the diversity of its authors.

The sprawling overreach of PL215's right to be forgotten, the burden that its real name registration requirements will place on Internet businesses, and the technical impossibility of successfully enforcing either provision on a global Internet, point to the tiny set of contributors to this law. Politicians, police and the powerful were the only stakeholders consulted in the crafting of PL215. They wanted a blunt legal weapon to silence Internet criticism and track and monitor Internet users. And if Brazil's voters don't stand up and tell their lawmakers to reject PL215, that's what they'll get.

Related Updates

Hiperderecho, the leading digital rights organization in Peru, in collaboration with the Electronic Frontier Foundation, today launched its second ¿Quien Defiende Tus Datos? (Who Defends Your Data?), an evaluation of the privacy practices of the Internet Service Providers (ISPs) that millions of Peruvians use every day. This year's...

Earlier this month, security researcher Victor Gevers found and disclosed an exposed database live-tracking the locations of about 2.6 million residents of Xinjiang, China, offering a window into what a digital surveillance state looks like in the 21st century. Xinjiang is China’s largest province, and home to China’s Uighurs...

Law enforcement access to data is in the middle of a profound shake-upacross the globe. States are pushing to get quicker, deeper, and more invasive access to personal data stored on the global Internet, and are looking to water down the international safeguards around privacy and due...

Update, January 18: EU ministers have failed to approve the compromise text—with Germany, Belgium, Poland, Sweden, Luxembourg, the Netherlands, Finland and Slovenia, Italy, Croatia, and Portugal all voting against the current Article 13/11 proposal. Keep up the pressure! If you’re in the Czech Republic, Luxembourg, Germany, Poland, Sweden...

To the extent that 260-page regulations can ever be said to be “famous,” Europe’s General Data Protection Regulation (GDPR) certainly had its moment in limelight in 2018. When it came into force on May 25, it was heralded by a flurry of emails from tech companies, desperate to re-establish their...

This year, we refocused our attention on Offline, our project that seeks to raise awareness of and provide actions readers can take to support imprisoned bloggers, digital activists, and technologists. Originally launched in 2015, Offline currently features six individuals from four countries whose critical voices have been silenced by...

Fundación Karisma, Colombia’s leading digital rights organization, just launched its fourth annual ¿Dónde Estan Mis Datos? report in collaboration with EFF. The results are even more encouraging than the ones seen in 2017, with significant improvement in transparency - five companies published transparency reports, and four publicly explained...

Today, EU negotiators in Strasbourg struggled to craft the final language of the Copyright in the Single Digital Market Directive, in their last possible meeting for 2019. They failed, thanks in large part to the Directive’s two most controversial clauses: Article 11, which requires paid licenses for linking to news...

EFF, as part of a coalition of over sixty other human rights groups led by Human Rights Watch and Amnesty International —still have questions for Sundar Pichai, Google’s CEO. Leaks and rumors continue to spread from Google about “Project Dragonfly,” a secretive plan to create a censored, trackable...